Solution Note: The descriptions below assume VOS v5.1 or later. Configurations that do not use Proxy ARP will also work with older versions of VOS.

There are multiple ways to configure a VPN / firewall in conjunction with an EdgeMarc appliance, each with different tradeoffs. The table below is a starting point for determining the appropriate configuration for your environment.

EdgeMarc 200/250/4300/45XX/46XX/5300LF2 (VLAN-capable EdgeMarc)

  Non-VLAN-capable Ethernet switch
    One public WAN IP range available:
      - Two Enet drops available per office/desk: see Sub-option A1: Split LAN Ethernets, page 3. This offers full Plug n Dial for phones.
      - One Enet drop available per office/desk: see Sub-option A2: Single LAN Ethernet, using separate PC & Phone subnets, page 8 (phones must be manually configured in this layout), or Sub-option A3: Single LAN Ethernet, using the same PC & Phone subnet, page 9 (phones can share the PCs' DHCP server).
    Two (or more) public IP ranges; want one (or more) subnets routed through the EdgeMarc to its LAN interface:
      - See Sub-option C1: VLAN-capable EdgeMarc, page 14.

  VLAN-capable Ethernet switch
    One public WAN IP range available:
      - See Sub-option D1: VLAN-capable EdgeMarc, page 20.

EdgeMarc 4200/5300/6400 (non-VLAN EdgeMarc)

  Non-VLAN-capable Ethernet switch
    One public WAN IP range available:
      - Two Enet drops available per office/desk: see Sub-option B1: Split LAN Ethernets, page 11. This offers full Plug n Dial for phones.
      - One Enet drop available per office/desk: see Sub-option B2: One LAN Ethernet, page 13. This option isn't supported; see text for details.
    Two (or more) public IP ranges; want one (or more) subnets routed through the EdgeMarc to its LAN interface:
      - Two Enet drops available per office/desk: see Sub-option C2: Non-VLAN EdgeMarc, page 18. This configuration requires two Enet drops per office/desk.
      - One Enet drop available per office/desk: see Sub-option B2: One LAN Ethernet, page 13. This option isn't supported; see text for details.

  VLAN-capable Ethernet switch
    One public WAN IP range available:
      - See Sub-option D2: Non-VLAN EdgeMarc, page 26.

Page 2

Option A: VLAN-capable Edgewater appliance, non-VLAN switches, one WAN subnet

Sub-option A1: Split LAN Ethernets

Characteristics
- EdgeMarc provides NAT, Firewall and DHCP Plug n Dial to phones
- 3rd-party firewall provides NAT, Firewall and DHCP to PCs
- WAN interface has one free IP address:
  - The EdgeMarc is assigned one IP address from the WAN subnet
  - Other address(es), including the one already being used by the 3rd-party Firewall/VPN device, are bridged through the EdgeMarc to its LAN interface.
- EdgeMarc LAN interface uses two VLANs:
  - VLAN #2730 with a private subnet for phones (associated with EM LAN port 4). This LAN uses standard frames.
  - VLAN #2 with a public subnet for the 3rd-party VPN / Firewall device (associated with EM LAN port 3). This LAN uses standard frames.

Limitations
- This configuration requires two drops per cube or office. DHCP is used separately for PCs and Phones, requiring two broadcast domains. Two broadcast domains means two LANs.
- This configuration is only possible on Edgewater appliances that provide VLAN support (200/250/4300/4500/4600 Series EdgeMarcs).

Page 3

When done, the Proxy ARP screen should look similar to the following:

[Screenshot: PROXY ARP page]

Page 7

Sub-option A2: Single LAN Ethernet, using separate PC & Phone subnets

Characteristics
- EdgeMarc provides NAT and Firewall to phones
- 3rd-party firewall provides NAT, Firewall and DHCP to PCs
- WAN interface has one free IP address:
  - The EdgeMarc is assigned one IP address from the WAN subnet
  - Other address(es), including the one already being used by the 3rd-party Firewall/VPN device, are bridged through the EdgeMarc to its LAN interface.
- EdgeMarc LAN interface uses two VLANs:
  - VLAN #2730 with a private subnet for phones (associated with EM LAN port 4). This LAN uses standard frames.
  - VLAN #2 with a public subnet for the 3rd-party VPN / Firewall device (associated with EM LAN port 3). This LAN uses standard frames.

Limitations
- DHCP and Plug n Dial are not available for Phones. Phones must be manually configured with IP addresses in the subnet and with the EdgeMarc as their SIP Proxy or MGCP Control Server address.
- This configuration is only possible on Edgewater appliances that provide VLAN support (200/250/4300/4500/4600 Series EdgeMarcs).

Page 8

Implementation Steps
Follow all the steps in Sub-option A1: Split LAN Ethernets, above, except skip step 5 (Enable DHCP on VLAN #2730).

Sub-option A3: Single LAN Ethernet, using the same PC & Phone subnet

Characteristics
- EdgeMarc provides ALG functionality to phones
- 3rd-party firewall provides NAT, Firewall and DHCP to PCs and phones
  - Phones receive IP addresses from the same pool as PCs.
  - Default router for PCs and phones is the 3rd-party firewall
  - EdgeMarc is the SIP Proxy or MGCP Control Server for phones
- WAN interface has one free IP address:
  - The EdgeMarc is assigned one IP address from the WAN subnet
  - Other address(es), including the one already being used by the 3rd-party Firewall/VPN device, are bridged through the EdgeMarc to its LAN interface.
- EdgeMarc LAN interface uses two VLANs:
  - VLAN #2730 with a private subnet for phones, shared by PCs (associated with EM LAN port 4). This LAN uses standard frames.
  - VLAN #2 with a public subnet for the 3rd-party VPN / Firewall device (associated with EM LAN port 3). This LAN uses standard frames.

Page 9

Option B: Non-VLAN Edgewater appliance, non-VLAN switches, one WAN subnet

Sub-option B1: Split LAN Ethernets

Characteristics
- EdgeMarc provides NAT, Firewall and DHCP Plug n Dial to phones
- 3rd-party firewall provides NAT, Firewall and DHCP to PCs
- WAN interface has one free IP address:
  - The EdgeMarc is assigned one IP address from the WAN subnet
  - Other address(es), including the one already being used by the 3rd-party Firewall/VPN device, are bridged through the EdgeMarc to its LAN interface.

Limitations
- This configuration requires two drops per cube or office. DHCP is used separately for PCs and Phones, requiring two broadcast domains. Two broadcast domains means two LANs.

Page 11

Sub-option B2: One LAN Ethernet

Edgewater does not recommend this design. With one LAN Ethernet and only one LAN on the EdgeMarc, broadcasts (such as ARPs) issued by the VPN/Firewall device on one of its interfaces will loop around and be heard on its other interface. Additionally, some models of firewalls will actually rebroadcast a message from one interface to the other, causing a packet storm. Certain VPN/Firewall devices, such as the PIX, can handle this topology, but such devices are the exception.

Page 13

Option C: VLAN or Non-VLAN Edgewater appliance, non-VLAN switches, two WAN subnets

Sub-option C1: VLAN-capable EdgeMarc

Characteristics
- Create two LAN-side VLANs:
  - One VLAN with a public subnet for the 3rd-party VPN / Firewall device (associated with EM LAN port 3)
  - One VLAN with a private subnet for phones (associated with EM LAN port 1)
- VPN / Firewall device provides DHCP, Firewall and NAT to PCs and servers. The VPN creates a third subnet ( , above), but it is ignored by the EdgeMarc and only used by the VPN and associated PCs.
- EdgeMarc provides Firewall and NAT to phones

Limitations
- Plug n Dial is not available for Phones. Phones must be manually configured with a SIP Proxy or MGCP Control Server address.
- This configuration is only possible on Edgewater appliances that provide VLAN support (200/250/4300/4500/4600 Series EdgeMarcs).

Page 14

5. Enable DHCP on VLAN #200
   When done, the DHCP page should look similar to the following:

   [Screenshot: DHCP page]

6. Enable Firewall

7. System -> Proxy ARP
   Configure Proxy ARP so that the EdgeMarc bridges the external Firewall's IP address from the EM's WAN i/f to its LAN i/f.
   o VLAN 2 is associated with LAN Port 3
   o The IP address to be forwarded is /32
   o Bridge traffic back to the default gateway

Page 24

When done, the Proxy ARP screen should look similar to the following:

[Screenshot: PROXY ARP page]

Page 25

LAN sub-interface Configuration: Step 3

The Firewall must be configured to pass VoIP protocols through to the EdgeMarc. The Firewall must not perform NAT on this traffic; if it does, it will break the VoIP protocols. Since the EdgeMarc is a VoIP proxy, all VoIP packets will have a source or destination IP address of the EdgeMarc's WAN interface. This can be used to set up appropriately tight rules on the Firewall.

The Firewall must be opened for the following ports (to and from the EdgeMarc):

In all cases:
  FTP      TCP 21
  HTTP     TCP 80
  RTP      UDP 16386:21785 *
  SNMP     UDP 161
  SSH      TCP 22
  Telnet   TCP 23
  TFTP     UDP 69
  SNTP     TCP 123

MGCP phones:
  MGCP     UDP 2427, 2429, 2432, 2727

SIP phones:
  SIP      UDP 5060

Page 30
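As an added example (not part of Edgewater's note), the following Python models the firewall policy Step 3 describes: the port table above, restricted so that one endpoint of every permitted packet is the EdgeMarc WAN address, with only the deployed signalling protocol (SIP or MGCP) opened. The nftables table and chain names, the 203.0.113.10 WAN address used in tests, and the extra UDP 123 entry are assumptions of this example.

```python
from typing import List, NamedTuple, Tuple

Rule = Tuple[str, str, int, int]  # (service, protocol, first port, last port)

# Port table from the solution note, page 30 ("In all cases").
BASE_RULES: List[Rule] = [
    ("FTP", "tcp", 21, 21),
    ("HTTP", "tcp", 80, 80),
    ("RTP", "udp", 16386, 21785),  # media range, marked * in the note
    ("SNMP", "udp", 161, 161),
    ("SSH", "tcp", 22, 22),
    ("Telnet", "tcp", 23, 23),
    ("TFTP", "udp", 69, 69),
    ("SNTP", "tcp", 123, 123),  # as listed in the note
    ("SNTP", "udp", 123, 123),  # added here: SNTP is carried over UDP 123 (RFC 4330)
]
MGCP_RULES: List[Rule] = [("MGCP", "udp", p, p) for p in (2427, 2429, 2432, 2727)]
SIP_RULES: List[Rule] = [("SIP", "udp", 5060, 5060)]

class Packet(NamedTuple):
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port

def build_policy(edgemarc_wan_ip: str, phone_type: str) -> Tuple[str, List[Rule]]:
    """Open only the signalling protocol actually deployed ("sip" or "mgcp")."""
    if phone_type not in ("sip", "mgcp"):
        raise ValueError("phone_type must be 'sip' or 'mgcp'")
    return edgemarc_wan_ip, BASE_RULES + (SIP_RULES if phone_type == "sip" else MGCP_RULES)

def allowed(pkt: Packet, policy: Tuple[str, List[Rule]]) -> bool:
    """Permit only when one endpoint is the EdgeMarc WAN address and the port is listed."""
    edgemarc_wan_ip, rules = policy
    if edgemarc_wan_ip not in (pkt.src, pkt.dst):
        return False  # tight rule: traffic not involving the EdgeMarc is not VoIP traffic
    return any(pkt.proto == proto and lo <= pkt.dport <= hi for _, proto, lo, hi in rules)

def nft_rules(policy: Tuple[str, List[Rule]]) -> List[str]:
    """Render the policy as nftables rules (table 'filter' and chain 'voip' are assumed names)."""
    edgemarc_wan_ip, rules = policy
    lines = []
    for name, proto, lo, hi in rules:
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        for addr in ("saddr", "daddr"):  # to and from the EdgeMarc
            lines.append(f"add rule inet filter voip ip {addr} {edgemarc_wan_ip} "
                         f"{proto} dport {ports} accept comment \"{name}\"")
    return lines
```

The `allowed` check is a model for reviewing a ruleset offline; `nft_rules` emits the equivalent rule lines for a firewall that happens to be nftables-based.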
